March 15, 2024

Introducing Workspace ONE UEM Windows Multi-User

We're excited to announce Windows multi-user support, a game-changing feature that will revolutionize Windows device management in Workspace ONE UEM. Join the EUC Anywhere Workspace Early Access™ program for a glimpse into the future of endpoint management.

Windows multi-user functionality is now available in early access mode for Workspace ONE Unified Endpoint Management (UEM) devices.

In the ever-evolving realm of endpoint management, staying ahead means embracing innovations that redefine possibilities and streamline processes. Today, we're thrilled to introduce a game-changing feature that will revolutionize the way you manage Windows devices: Windows multi-user support. The feature is almost ready for prime time! Early access is now available to collect feedback, with General Availability (GA) to follow.

Traditionally, managing multi-user environments on Windows devices has been fraught with challenges, from cumbersome workarounds to compromises in the user experience. However, with Windows multi-user support, we're breaking down these barriers and ushering in a new era of efficiency and flexibility.

The Intelligent Hub app seamlessly picks up user changes device-side and updates UEM at the backend to reflect the current user. This means that each user's settings, applications, and payloads—such as certificates—are accurately reflected without manual intervention, streamlining the management process for administrators.

The benefits extend far beyond simplifying user transitions. Here's why Windows multi-user support is a significant improvement for endpoint management:

  • Enhanced User Experience: Personalized settings and applications for each user enhance overall user satisfaction and productivity.
  • Efficiency and Productivity: Streamlined device setup and user transitions save valuable time and resources for administrators, allowing them to focus on strategic initiatives.
  • Security and Compliance: Personalized configurations ensure that users have access only to the resources and applications they need, reducing the risk of unauthorized access and ensuring compliance with organizational policies.
  • Cost Savings: Consolidating multiple users onto a single device reduces hardware and software costs, maximizing ROI (return on investment) for your organization.
  • Scalability: Windows multi-user support effortlessly scales to accommodate growing user populations, providing a future-proof solution for evolving business needs.
  • Centralized Management: Workspace ONE UEM offers a centralized platform for managing all aspects of endpoint management, including Windows multi-user support, simplifying administration, and ensuring consistency across the organization.

With Windows multi-user support, the possibilities of endpoint management are being redefined, empowering administrators to deliver a superior user experience while maintaining control and security. Whether you're managing a small team or a large enterprise, Workspace ONE UEM scales to meet your needs, ensuring that every user receives the personalized experience they deserve.

Multi-User Example

Multi-user Windows devices, such as nursing stations and manufacturing floor workstations, are common within many environments. Up until now, managing these devices has been a challenge within Workspace ONE UEM because the workstations could only be managed based on device settings. The new Windows multi-user functionality enables various users to access the same device such that applications, policy settings, and security align with granular user/group requirements.

For example, when Lee uses a Windows workstation on the manufacturing shop floor, his locally installed applications and user experience can now be differentiated from other users, even those that have more robust device privileges and access to additional applications. While Lee is enjoying his lunch break, the Safety Manager, Alex, sees that the Windows workstation is available, and he accesses an application that details the flammability specifications of various shop floor epoxies and validates against nearby fire extinguisher types and agents. Then while walking the shop floor, Lee’s manager, Terry, remembers that she should congratulate Lee on his days worked accident-free and accesses a confidential report to ascertain the exact number of days from that same Windows workstation.

Thus, all three users experience a customized and secure workspace based on the same Windows device.


Figure 1: Multi-user example

Multi-User Testing Setup

The information below will help you set up the Windows multi-user feature for early testing.

Requirements

  1. OG (Organizational Group) in the UAT tenants CN135/7/8
  2. Directory or Identity Services (SCIM) integration
  3. Windows test VM/device that is on-premises AD (Active Directory) or Entra joined
  4. Agent 23.10 (for upgrade testing)/24.04
  5. Your Windows multi-user use case(s)

Multi-User Functionality Configuration

Configuring multi-user functionality is straightforward and is based on the designation of Intelligent Hub settings. As shown below, simply go to Settings > Device Settings > Devices & Users > Microsoft > Windows > Intelligent Hub Settings.

Figure 2: User attribute mapping

Under the Attributes for Unique Identifier, select the UEM User Attribute that aligns with the desired Client User Attribute as shown below.

| UEM User attributes | Client User attributes |
| --- | --- |
| Object Identifier | Object GUID |
| Username | Sam Account Name |
| Recommended: User Principal Name | User Principal Name |
| EmployeeID | User SID |
| Email address | |
| Custom Attribute 1-5 | |

Figure 3: Client mapping attributes

To identify the current logged-in user and match the user to a user object in the UEM console, it is necessary to set up the attributes used for the matching. In the Windows Intelligent Hub settings, administrators should pick the appropriate pair from the possible UEM user attributes and the four attributes that the Intelligent Hub can gather from the device. The recommendation is to use UPN / UPN for the majority of use cases.

Where applicable, assigned resources are now based on user assignment, so the logged-in user needs to be in the assignment groups for a resource. As shown below, those resources can be applications or profiles in user context.

It is important to plan the assignment of resources accordingly. Especially when switching devices from single-user to multi-user, make sure all users that will log into the Windows device are added to the assignments.

Figure 4: Check User assignments in Applications and Profiles

Confirming Multi-User Settings in the Workspace ONE UEM Console

Once multi-user functionality has been enabled, the Workspace ONE UEM console shows the user mode status within the Devices > List View screen. Where multi-user is shown, this indicates that the device is enrolled with the multi-user capable agent and that multi-user is active.

As shown below, administrators can optionally select to filter devices based on the following:

  • Single-user
  • Multi-user
  • Multi-user capable
  • User reassignment paused

Figure 5: Device list view UI changes, User Modes

Multi-User Flow

Once configured, it’s easy to test the functionality on devices. Install the provided beta Hub and enroll the device. Wait for all enrollment processes to finish and test the user switch. "User switch" is not meant literally here: do not use the Windows User Switch functionality; instead, sign out the current user and sign in with another account.

Figure 6: Device-side flow

Troubleshooting

If the assignment is not working even though all prerequisites are in place, first check the device reassignment logs of the Hub agent. You can find the logs under:

C:\ProgramData\AirWatch\UnifiedAgent\Logs\DeviceReassignment-YYYYMMDD.log

It will show entries for calls to the userswitch endpoint together with the unique identifier configured in the settings. Check whether the user attribute matches the logged-in user and attributes synchronized to UEM.
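One way to run that check on the device, as an added example that is not VMware's code: it collects the four client attributes for the signed-in user and looks for each value in the newest reassignment log. It assumes the log lines contain the word "userswitch" and the identifier as plain text, and that it runs in the signed-in user's session with read access to the log folder.

```powershell
# Added example: compare the signed-in user's identifiers with what the
# Hub agent logged for its userswitch calls. Run in that user's session.
$logDir = 'C:\ProgramData\AirWatch\UnifiedAgent\Logs'   # path from this page

# The four client-side attributes the Intelligent Hub can map on.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$sid  = $identity.User.Value
$sam  = $identity.Name.Split('\')[-1]
$upn  = (whoami /upn 2>$null)          # empty for local accounts
$guid = $null
try {
    # Object GUID lookup only works on AD-joined devices that can reach a DC.
    $entry = ([adsisearcher]"(objectSid=$sid)").FindOne()
    if ($entry) {
        $bytes = [byte[]]$entry.Properties['objectguid'][0]
        $guid  = [guid]::new($bytes).ToString()
    }
} catch { }

$ids = [ordered]@{
    'User Principal Name' = $upn
    'Sam Account Name'    = $sam
    'User SID'            = $sid
    'Object GUID'         = $guid
}

# Newest DeviceReassignment-YYYYMMDD.log (the date in the name sorts correctly).
$log = Get-ChildItem -Path $logDir -Filter 'DeviceReassignment-*.log' |
       Sort-Object Name -Descending | Select-Object -First 1
if (-not $log) { throw "No DeviceReassignment log found in $logDir" }

# The page says the log records calls to the userswitch endpoint; the exact
# line layout is an unknown here, so match on that word only (assumption).
$calls = @(Select-String -Path $log.FullName -Pattern 'userswitch' -SimpleMatch)
"{0}: {1} userswitch entries" -f $log.Name, $calls.Count

foreach ($name in $ids.Keys) {
    $value = $ids[$name]
    if (-not $value) { "{0,-20} not available on this device" -f $name; continue }
    $hits = @($calls | Where-Object {
        $_.Line.IndexOf($value, [StringComparison]::OrdinalIgnoreCase) -ge 0
    })
    "{0,-20} {1} -> found in {2} entries" -f $name, $value, $hits.Count
}
```

The attribute whose value appears in the userswitch entries should be the Client User Attribute selected in the Intelligent Hub settings; compare that value with the paired UEM user attribute synchronized for the same user in the console.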

Current Limitations

There is no beta agent seeded in the UAT environments yet, so you cannot leverage OOBE, as it will install an older non-multi-user version of Hub, and you cannot automatically upgrade to the beta Hub on devices with older versions.

Upgrading devices from older versions does not yet make them multi-user capable but keeps them as single-user devices; this will be addressed in the final release.

How Do I Enable Multi-User Functionality in My Account?

Ready to unlock the full potential of your Windows devices? To enable multi-user functionality, join the EUC Anywhere Workspace Early Access™ program. It is free and allows you to access multi-user and other pre-release functionality. Read through the requirements and register for the program: https://beta-ea.vmware.com/key/getbeta

After validation, Windows multi-user functionality will be enabled, and you can start testing within your environment.
